MANAGING MOBILE MEDIA AND THE SECURE TRANSPORT OF INGRESS AND EGRESS DATA IN CLOSED ENVIRONMENTS


SUGGESTIONS FOR OPERATIONAL PROCEDURES TO SECURELY TRANSFER FILES USING TRESYS XD AIR

Tresys Technology LLC
8840 Stanford Boulevard
Columbia, Maryland 21045

1 INTRODUCTION

This guide presents a starting point for the creation of a series of procedures for the management and tracking of data and data media destined for and originating from Digital Assets. Throughout the data transfer process, it remains imperative to handle externally sourced data media in a manner that isolates these devices from direct interaction with Digital Assets.

This document has been developed as a guide template for licensees in conjunction with the Nuclear Energy Institute document Cyber Security Plan for Nuclear Power Reactors (NEI 08-09) to comply with the requirements of 10 CFR. The goal is to act as a starting point to facilitate the implementation of the media protection policy and associated media protection controls which include the methodology that defines the purpose, scope, roles, responsibilities, and management commitment in the areas of media receipt, storage, handling, sanitization, removal, reuse, and disposal necessary to provide a high assurance that the risk of unauthorized disclosure [or introduction] of information that could be used in a cyber-attack to adversely impact the safety, security, and emergency preparedness functions of the nuclear facility is prevented (quote from NEI Appendix E.1, Media Protection).

The adoption of new technology provides many benefits, including better data analysis tools and reporting, higher efficiencies, and quicker turn-around in troubleshooting and repair. With these benefits, it is becoming increasingly important to be able to pass data to and from systems that reside in locations isolated from general access networks. This guide provides a basic procedural structure for the management of data media intended for Digital Assets, both for inbound ingress data (for example, introducing software updates) and for outbound egress data (for example, extracting troubleshooting log files).

This template emphasizes fully documented tracking of data media (for example, CD/DVDs and USB drives) and the separation of data media sourced from external entities from the data media used with restricted Digital Assets.

2 GLOSSARY/DEFINITIONS

2.1 Digital Asset
Any digital computer, communication system or network, control system, or any other system used in the operation of the location or facility. Legacy analog systems should also be included if the system has a digital interface (e.g. one used for updating features or exporting logs).

2.2 Data Ingress
The process by which new data may be brought in to a given location or facility, for example digital asset software updates. This includes file types of all kinds (e.g. text configuration files, updates, executables, programs, Microsoft Office documents, PDFs, images, etc.).

Rev. 1.0

2.3 Data Egress
Data (or, more likely, a copy of the data) to be removed from the location or facility, for example logging, status or error reports. This includes file types of all kinds (e.g. text configuration files, updates, executables, programs, Microsoft Office documents, PDFs, images, etc.).

2.4 Media
Media is generally used for the storage (temporary or long-term) or transport of digital data. Media includes but is not limited to:
- Optical media
  o CD-ROM
  o CD-R
  o CD±RW
  o DVD-ROM
  o DVD±RW
- USB flash drives
- CompactFlash cards
- SD cards
- External hard drives (via USB, SATA, eSATA, etc.)
- External solid state drives (via USB, SATA, eSATA, etc.)
- Floppy disks
- Other devices with data storage capability (such as mobile phones, MP3 players, etc.) attached via USB, FireWire, etc.

2.5 Media source
The entity, individual, company, etc. that is responsible for media and the data contained thereon. For example, the media source for a digital asset software update would be the associated vendor. As another example, the media source could be an internal software development group that creates new operational configuration files.

Local requirements may dictate the expansion of these procedures to accommodate a delineation of media sources:
- Internal media sources include those individuals within the jurisdiction of the location security authority.
- External media sources certainly include entities outside the licensee company (e.g. vendors), but may also include licensee employees, contractors, representatives, etc. from other licensee locations.

2.6 Media Pool
The media pool is a closely controlled set of clean, blank, securely erased, and reformatted media that are made available for use within a secured area. All media within the pool has previously been checked in, following the complete check-in procedure (inventory entry, tagging and tracking, cleaning, etc.). Media removed from the pool must follow the complete check-out procedure (inventory tracking, etc.).

2.7 Secure Erased Media
The Secure Erase process overwrites all accessible media blocks present on the storage device using a methodology provided by the Government to accomplish complete erasure. The media is then reformatted.

3 REQUIREMENTS

The procedures in this guide template must be implemented and modified as necessary for complete compliance with location and facility security policies.

4 PROCESSES FOR DATA MEDIA MANAGEMENT

The complete life-cycle management of data media minimizes security exposure for internal Digital Assets. These management processes detail the proper usage and tracking of data media. The processes are built from the elemental procedures given in the PROCEDURES section.

4.1 New Media
This process is for newly acquired, unused media for inclusion in the media pool.
- Register media in Media Inventory Tracking (see 6.1.1)
- Check-in media to Media Pool (see 6.2)

4.2 Retire Media
This process is for the handling of unusable media.
- Dispose of media (see 6.8)

4.3 Data Ingress
This process details the steps for the introduction of external data to a Digital Asset.
- Register external media in Media Inventory Tracking (see 6.1)
- Check-out available internal media from Media Pool (see 6.3)
- Data Transfer from external to internal media (see 6.6)
- Quarantine external media (see 6.7)
- Use internal media for data ingress to Digital Asset
- Scan internal media for infection (see 6.5)

- If media is not clean, notify local Security authorities
- Check-in internal media (see 6.2)
- Dispose of external media (see 6.8)

4.4 Data Egress
This process details the steps for the exporting of data from a Digital Asset.
- Check-out available media from Media Pool (see 6.3)
- Extract Egress Data from Digital Asset using checked-out media
- Scan media for infection (see 6.5)
- If media is not clean, notify Security Department
- Determine media destination:
  o If media is to be removed from facility, follow
  o If media is to be transferred to external media:
    - Register external media in Media Inventory Tracking (see 6.1.1)
    - Transfer Data from internal to external media (see 6.6)
- Check-in internal media (see 6.2)
- Dispose of external media (see 6.8)

4.5 Lost Media
This process details the handling of lost media (internal or external).
- Notify owner or responsible entity
- Update Media Tracking information

4.6 Found Media
This process details the handling of found media (internal or external).
- Notify owner or responsible entity
- Update Media Tracking information
- Internal media:
  o Scan internal media for infection (see 6.5)
  o If media is not clean, notify Security Department
  o Check-in internal media (see 6.2)
- External media:
  o Dispose of external media (see 6.8)

5 PROCEDURES

The proper handling of data and associated media has been broken down into elemental procedures. The day-to-day operational processes (Section 5) are built from these procedures.

5.1 Media Inventory Tracking
Tracking the location and life-cycle of all media is central to the management and safe use of mobile media. This is particularly important in any post-event forensic analysis. A centralized, easily accessible (possibly web-based) database would be ideal. Updates to the tracking data should be time-stamped.

5.1.1 Media registration
Information identifying the media and its use should be recorded, including but not limited to:
- Ownership: the ownership of the media should specify whether the media is intended for the internal media pool or comes from external sources, and whether the media ownership will be transferred (e.g. the vendor provides the media and it is left onsite, kept by local personnel).
- Media identification (as applicable):
  o Type (USB flash, DVD, etc.)
  o Brand
  o Model
  o Serial number
- Tagging: all media should be tagged to permit tracking, including but not limited to:
  o Owner
  o Local responsible individual
  o Assigned unique tracking number
  o "If found" contact information

5.1.2 Track life-cycle of media intended for media pool and external media
- Check-in: tracking should include the name of the responsible person.
- Check-out: tracking should include the name of the responsible person, the intended use of the media, and identification of the digital assets to be used with the media.
- Scanning: tracking should indicate the success or failure and the name of the responsible person.
- Cleaning: tracking should include the name of the responsible person.
- Media disposal: tracking should include the name of the responsible person, the reason for disposal, and the final means of disposition.

5.2 Check-In
This process returns or adds new media to the media pool. Check-in is applicable to new and used media.
- Clean the media. If the media fails this, dispose of media (see 6.8).
- Physically return the media to the media pool location.
- Update media tracking information.

5.3 Check-Out
This process temporarily or permanently removes media from the media pool.
- Remove the media from the pool.
- Update media tracking information.

5.4 Cleaning
This process ensures the media is free from unintended data. Generally, the media is completely rewritten with useless data (for example, all zeros) and then reformatted. The Tresys Technology XD Air product provides a complete secure erasure and reformatting of media.
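The tracking database described in 5.1 through 5.3 can be modelled as a ledger of time-stamped, attributed life-cycle events whose preconditions enforce the procedures (check-in only after a successful clean, check-out only from the pool, no further use after a failed scan). The following Python is an added example written for this edit; it is not Tresys code and not part of the XD Air product. The state names, tracking numbers, person names and the exact precondition table are assumptions.

```python
"""Media inventory tracking ledger (added example; not part of the Tresys guide).

Models the registration, check-in, check-out, scanning, cleaning and disposal
tracking of sections 5.1-5.3: every update is time-stamped and records the
responsible person, and transitions the procedures do not allow are rejected.
All tracking numbers, names and serials below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Event:
    timestamp: str        # ISO-8601 UTC; every tracking update is time-stamped (5.1)
    kind: str
    responsible: str      # name of the responsible person (5.1.2)
    details: dict


@dataclass
class MediaRecord:
    tracking_number: str  # assigned unique tracking number (5.1.1 Tagging)
    media_type: str       # USB flash, DVD, etc.
    ownership: str        # "internal" (media pool) or "external"
    owner: str
    local_responsible: str
    brand: str = ""
    model: str = ""
    serial: str = ""
    state: str = "registered"
    history: list = field(default_factory=list)


class LifecycleError(Exception):
    pass


class MediaInventory:
    # State a record must be in before each event is allowed (assumed mapping):
    # check-in requires a successful clean (5.2), check-out only from the pool
    # (5.3), scanning on arrival or after use (5.5). Disposal is allowed from
    # any state except "disposed".
    PRECONDITIONS = {
        "clean": {"registered", "checked_out", "scanned_clean", "cleaned"},
        "check_in": {"cleaned"},
        "check_out": {"in_pool"},
        "scan": {"registered", "checked_out"},
    }

    def __init__(self, clock=None):
        self._records = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, record, kind, responsible, details):
        record.history.append(Event(self._clock().isoformat(), kind, responsible, details))

    def register(self, record):
        if record.tracking_number in self._records:
            raise LifecycleError(f"duplicate tracking number {record.tracking_number}")
        self._records[record.tracking_number] = record
        self._log(record, "register", record.local_responsible, {"ownership": record.ownership})
        return record

    def _event(self, tn, kind, responsible, details, new_state):
        record = self._records[tn]
        if record.state == "disposed":
            raise LifecycleError(f"{tn} has already been disposed of")
        allowed = self.PRECONDITIONS.get(kind)
        if allowed is not None and record.state not in allowed:
            raise LifecycleError(f"cannot {kind} {tn} while in state {record.state}")
        self._log(record, kind, responsible, details)
        record.state = new_state
        return record

    def clean(self, tn, responsible, success):
        return self._event(tn, "clean", responsible, {"success": success},
                           "cleaned" if success else "clean_failed")

    def check_in(self, tn, responsible):
        return self._event(tn, "check_in", responsible, {}, "in_pool")

    def check_out(self, tn, responsible, intended_use, digital_assets):
        return self._event(tn, "check_out", responsible,
                           {"intended_use": intended_use, "digital_assets": list(digital_assets)},
                           "checked_out")

    def scan(self, tn, responsible, success):
        return self._event(tn, "scan", responsible, {"success": success},
                           "scanned_clean" if success else "scan_failed")

    def dispose(self, tn, responsible, reason, means):
        return self._event(tn, "dispose", responsible, {"reason": reason, "means": means}, "disposed")

    def state(self, tn):
        return self._records[tn].state

    def needs_security_notification(self):
        """Media whose last scan failed: local security authorities must be notified."""
        return sorted(tn for tn, r in self._records.items() if r.state == "scan_failed")

    def audit_trail(self, tn):
        """Chronological history of one media item, for post-event forensic analysis."""
        return [(e.timestamp, e.kind, e.responsible, e.details) for e in self._records[tn].history]


def demo():
    """Walk one constructed internal USB drive through new-media check-in, an ingress job and return."""
    inv = MediaInventory()
    inv.register(MediaRecord("INT-0001", "USB flash", "internal", "Plant IT", "A. Operator",
                             serial="SN-CONSTRUCTED-1"))
    inv.clean("INT-0001", "A. Operator", success=True)
    inv.check_in("INT-0001", "A. Operator")
    inv.check_out("INT-0001", "B. Technician", "ingress: vendor firmware update", ["PLC-7"])
    inv.scan("INT-0001", "B. Technician", success=True)
    inv.clean("INT-0001", "B. Technician", success=True)
    inv.check_in("INT-0001", "B. Technician")
    return inv
```

Because the ledger refuses a check-out of media that never passed through clean and check-in, and refuses any further use of media whose scan failed, the tracking system itself enforces the pool discipline of 2.6 rather than relying on the operator to remember it.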

5.4.1 Follow vendor procedures for cleaning the data media. If the media fails this, dispose of media (see 6.8). Update media tracking information.

5.5 Scanning
This process non-destructively analyses media for unintended data including viruses, malicious code, non-policy file types, obfuscated data, dirty words, etc. A 100% compliance, pass/fail view should be taken.

5.5.1 Tresys Technology XD Air
The Tresys Technology XD Air product provides state-of-the-art file analysis and filtering technology which:
- Detects virus- or malware-infected files
- Cleans files and verifies they are cleansed
- Removes unknown file types
- Removes steganography
- Analyzes, removes, and cleanses embedded objects
- Removes or cleanses color- or size-obfuscated text
- Removes macros from documents
- Removes or cleanses metadata
- Removes unrecognized data
- Validates file formats
- Identifies hidden content

5.5.2 Indicate the success or failure within the media tracking system.

5.5.3 Scan Success
Media is available for use (or for the next step in the current process).

5.5.4 Scan Failure
- Data Ingress Media: media that fails the scan should NOT be used on Digital Assets.
- Data Egress Media: media that fails the scan and was used on Digital Assets to export data indicates the Digital Asset has been compromised. Contact local security authorities for proper handling of this compromised media.
As appropriate, dispose of media (see 6.8).

5.5.5 Exceptions
The scanning product used may have the capability to provide controlled and logged exception handling of data that normally would fail the scanning process. For example, it may be policy that no executables (programs) can be ingress data, yet a digital asset can only be updated via a vendor-supplied update executable. Though scanning products cannot guarantee an executable is completely safe, they can provide a means of uniquely identifying an executable to permit an exception for that one executable during the scanning process. The process will recognize the executable, log the exemption, and pass the scan. This exception handling requires additional process and authentication by local security authorities.

5.6 Secure Data Transfer
This process securely transfers data from a particular source media to a previously cleaned destination media. The process scans and filters source data for local policy and security compliance. This process is a destructive process for the destination media; that is, it cleans the destination before writing the data.
- Obtain source media. The source media can be provided from internal or external sources (e.g. a USB drive from a vendor).
- Obtain destination media. Media must be checked out from the Media Pool.
- Initiate Secure Data Transfer following the vendor procedure.
- Review Secure Data Transfer results. The resulting files on the destination media have passed the filtering and scanning policies. They may include a mix of:
  o Unmodified original data files
  o Modified original data files (e.g. local policy may dictate that metadata be removed from Office files)
  Some files will not be transferred, having failed to pass the filtering and scanning policies.
- Based on the results of the transfer to the destination media, determine whether to continue with the intended Data Ingress.

5.7 Quarantine
The intent of the Quarantine is to physically isolate external media from Digital Assets.
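As an added illustration of the pass/fail filtering of 5.5, the uniquely identified executable exception of 5.5.5 and the three transfer outcomes of 5.6 (unmodified, modified, not transferred), the following Python is example code written for this edit; it is not Tresys XD Air code and does not reproduce that product's policy engine. The policy table, the magic-byte format checks, the choice of PNG textual chunks as the metadata that gets stripped, the SHA-256 exception list and every file name and content are constructed assumptions.

```python
"""Secure data transfer filter (added example; not Tresys XD Air code).

Applies a 100% pass/fail policy to an in-memory set of source files:
- file contents are validated against the extension (magic bytes),
- executables are rejected unless their SHA-256 is on a logged exception list
  approved by the local security authority (the 5.5.5 mechanism),
- PNG images have textual metadata chunks removed (a "modified original file"),
- text files must be valid UTF-8, unknown types are not transferred.
Policy values, file names and file contents are constructed for this example.
"""
import hashlib
import struct
import zlib

MAGIC = {                       # format validation: extension -> required leading bytes
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}
TEXT_TYPES = {".txt", ".cfg", ".csv"}
EXECUTABLE_TYPES = {".exe"}
PNG_METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}   # PNG textual metadata chunk types


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def strip_png_metadata(data):
    """Return the PNG with textual metadata chunks dropped; other chunks are kept byte-for-byte."""
    sig = MAGIC[".png"]
    out = bytearray(sig)
    pos = len(sig)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk = data[pos:pos + 12 + length]        # length + type + body + CRC
        if ctype not in PNG_METADATA_CHUNKS:
            out += chunk
        pos += 12 + length
    return bytes(out)


def secure_transfer(source_files, exceptions, log):
    """source_files: {name: bytes}; exceptions: {sha256 hex: approver name}.
    Returns (destination_files, report) where report maps each name to its outcome."""
    destination, report = {}, {}
    for name, data in sorted(source_files.items()):
        ext = extension(name)
        if ext in TEXT_TYPES:
            try:
                data.decode("utf-8")
            except UnicodeDecodeError:
                report[name] = "rejected: not valid text"
                continue
            destination[name] = data
            report[name] = "unmodified"
        elif ext in MAGIC:
            if not data.startswith(MAGIC[ext]):
                report[name] = "rejected: format validation failed"
                continue
            if ext in EXECUTABLE_TYPES:
                digest = sha256(data)
                approver = exceptions.get(digest)
                if approver is None:
                    report[name] = "rejected: executables not permitted"
                    continue
                # The exception is logged every time it is exercised (5.5.5).
                log.append(f"exception granted for {name} sha256={digest} approved by {approver}")
                destination[name] = data
                report[name] = "unmodified (logged exception)"
            elif ext == ".png":
                cleaned = strip_png_metadata(data)
                destination[name] = cleaned
                report[name] = "unmodified" if cleaned == data else "modified: metadata removed"
            else:
                destination[name] = data
                report[name] = "unmodified"
        else:
            report[name] = "rejected: unknown file type"
    return destination, report


def png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def constructed_png(with_comment):
    """A minimal valid 1x1 greyscale PNG, optionally carrying a tEXt comment chunk (constructed)."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = png_chunk(b"tEXt", b"Comment\x00constructed") if with_comment else b""
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return MAGIC[".png"] + ihdr + text + idat + png_chunk(b"IEND", b"")


def demo():
    update = b"MZ" + b"\x90" * 14           # constructed stand-in for the vendor update executable
    source = {
        "config.cfg": b"setpoint=42\n",
        "manual.pdf": b"%PDF-1.4\n%constructed\n",
        "photo.png": constructed_png(with_comment=True),
        "update.exe": update,
        "tool.exe": b"MZ" + b"\x00" * 14,     # a second executable with no approved exception
        "archive.bin": b"\x00\x01\x02",
        "notes.txt": b"\xff\xfe not utf-8",
    }
    exceptions = {sha256(update): "Site security authority (constructed)"}
    log = []
    return secure_transfer(source, exceptions, log), log
```

The report is what an operator reviews under "Review Secure Data Transfer results": it separates files that arrived unchanged, files that were altered to satisfy policy, and files that were not transferred at all, so the decision whether to continue the ingress can be made from the destination media alone. The exception is keyed on the full-file digest, so a modified build of the approved executable fails the same way as any other executable.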

5.7.1 This procedure applies to all external media, whether or not the media contains data intended for or appropriate to Digital Assets.
- External media containing ingress data should have the data securely transferred to clean internal media via a Secure Data Transfer (see 6.6).
- Render external media inaccessible. Options include but are not limited to:
  o Locked location
  o Tamper-evident containers or bags

5.8 Media disposition
When media can no longer accurately store data, no longer permits the storage of new data (e.g. single-use CD-ROMs), or is otherwise deemed unusable, it must be properly disposed of.
- External media:
  o Update media tracking information
  o Return to external entity
  o Remove from facility
- Internal media to be removed from facility:
  o Update media tracking information
  o Remove from facility
- Aging, failing media:
  o Update media tracking information
  o Physically dispose of or destroy as directed by local policies

6 FLOWCHARTS FOR PROCESSES FOR DATA MEDIA MANAGEMENT

Top-level flowchart:
Start: Physical Media Management or Data Management?
- Physical Media Management:
  o Follow New Internal Media Flowchart [8.2]
  o Follow Retire Internal Media Flowchart [8.2]
  o Follow Lost Media Flowchart [8.2]
  o Follow Found Media Flowchart [8.2]
- Data Management: What is the direction of the data transfer?
  o Ingress, Inbound: Follow Ingress Data Transport Flowchart [8.1]
  o Egress, Outbound: Follow Egress Data Transport Flowchart [8.1]

6.1 Data Transport Flowchart

Secure Data Transfer Start: What is the direction of the data transfer?

Ingress, Inbound Data Transfer:
1. Register external media device in Media Inventory Tracking [6.1.1]
2. Check-out internal media from Media Pool [6.3]
3. Securely transfer data from external media to internal media using Tresys XD Air [6.6]
4. Quarantine external media [6.7]
5. Use internal media to transfer ingress data to Digital Asset
6. Scan internal media for infection using Tresys XD Air [6.5]
7. Is the internal media free from infection?
   - No: Notify Security authorities of infection
   - Yes: Check-in internal media to Media Pool [6.2]; Dispose of external media [6.8.1]

Egress, Outbound Data Transfer:
1. Check-out internal media from Media Pool [6.3]
2. Extract egress data from Digital Asset using internal media
3. Scan internal media for infection using Tresys XD Air [6.5]
4. Is the internal media free from infection?
   - No: Notify Security authorities of infection
   - Yes: continue
5. Will the internal media be removed from facility?
   - Yes: no further steps in this flowchart
   - No: Will egress data be transferred to external media?
     - Yes: Register external media device in Media Inventory Tracking [6.1]; Secure Transfer egress data from internal media to external media; Dispose of external media [6.8.1]; Check-in internal media to Media Pool [6.2]
     - No: Check-in internal media to Media Pool [6.2]

6.2 Media Management

Media Management Start: New Internal Media, Retire Internal Media, Lost Media or Found Media?

New Internal Media:
1. Register internal media device in Media Inventory Tracking [6.1.1]
2. Check-in internal media to Media Pool [6.2]

Retire Internal Media:
1. Dispose of internal media [6.8.3]

Lost Media:
1. Notify owner or responsible entity
2. Update Media Tracking System [6.1]

Found Media:
1. Notify owner or responsible entity
2. Update Media Tracking System [6.1]
3. Internal or External Media?
   - External: Dispose of external media [6.8.1]
   - Internal: Scan internal media for infection using Tresys XD Air [6.5]; Is the internal media free from infection?
     - No: Notify Security authorities of infection
     - Yes: Check-in internal media to Media Pool [6.2]